20/10/2019

Your complete guide to GDPR compliance

Posted by Fox&Bear

  • What to expect from the updated laws
  • What you will need to do in order to comply with GDPR

Introduction to GDPR

The General Data Protection Regulation (GDPR) is undoubtedly one of 2017’s hot topics. GDPR will have a huge impact on marketing, with significant changes to the existing Data Protection Act.

This guide summarises what you can expect from the updated laws and what you’ll need to do in order to comply. Once your team have understood the upcoming GDPR it is essential to review your entire strategy and processes. By doing so you will ensure that you are well equipped to make the necessary changes and updates in good time.

Section 1: Why GDPR?

The General Data Protection Regulation (GDPR) is a channel-neutral document that lays out the new data privacy laws. It applies to all EU citizens, and also to personal data relating to EU citizens that is collected outside of the EU. The new GDPR is a detailed document that is split into 99 articles, each explaining specific issues and supported by a total of 173 recitals.

Why?

Technological advances have been huge since 1995 (when the Data Protection Directive was first established). The GDPR will work to acknowledge and control online advances and smartphone developments.

With the technological advances of the last few years, the public have lost a lot of trust in organisations that are collecting personal data and are unsure about exactly how their data is kept and what it’s used for. The GDPR will help the UK ensure we continue to become a digital-first society and minimise the confusion and distrust that has dominated the data protection world in the eyes of the public.

Who?

In the past, the EU member states have been able to interpret data protection laws quite differently so regulations have varied from state to state. The aim for the upcoming GDPR is to harmonise data protection and allow the free flow of data between all EU member states. The government have confirmed that the UK will follow compliance with the GDPR, despite leaving the EU.

Where?

The GDPR applies to all EU countries as well as countries outside of the EU that collect data from EU citizens. For example, if you were a company that operates in the US and collects data from Germany, you’d still be under the same legal obligations as though your headquarters were based in the EU.

When?

The GDPR was first published in January 2012 by the EU commission. The document itself currently remains in the negotiation and development stages and, until the final date of 25th May 2018, more changes and tweaks will take place. We will continue to provide updates along the way so stay tuned to our blog for future announcements.

GDPR fines & penalties

Not complying with the new regulation can cost a business up to €20 million or 4% of the company’s annual worldwide turnover (whichever is higher).

Penalties can also include audits, warnings and temporary or permanent bans. Breaches of the GDPR are not made public. However, if regulatory action is taken, such as a fine or warning, this would be publicised.

Ensure all relevant staff have up-to-date training on data protection and the new GDPR changes to minimise the risk of breaches.

Section 2: More about the ‘Why’

Focusing on the ‘Why’ helps you to understand what needs to be done to become GDPR compliant. As we mentioned earlier, the reason the GDPR was developed was to focus on increasing trust between the public and organisations before it’s lost. The importance of this is to help the consumer take back control of their personal data and to ensure that the UK continues to progress to become a data-driven nation.

According to a recent study conducted by Catapult Digital, 79% of consumers believe the primary use of personal data is for an organisation’s financial gain. What’s more, 30% stated that they feel that the retail industry is most guilty of using their personal data without being clear on how they’re using it.

Trust is a clear issue amongst the public when it comes to personal data. The GDPR was written for the consumer; it gives control back to the individual to determine how his/her data will be used.

Largely what the GDPR will do for organisations is to work on rebuilding that trust between them and their consumers. Companies will be required to be absolutely clear and transparent about the personal data that they collect, how it will be stored and how they will use it.

Let’s draw on the positives of the data protection updates that come with the GDPR; think increased data sharing and better revenues if you really demonstrate good data governance.

Six key updated principles from the Data Protection Act

The new focus for the GDPR is on transparency and accountability. The six principles below reflect the key updates to bear in mind when assessing your data policies:

  1. Lawfulness, fairness & transparency
  2. Purpose limitation
  3. Data minimisation
  4. Accuracy
  5. Storage limitation
  6. Integrity & confidentiality (security)

Key focus for GDPR is transparency & accountability.

Section 3: Individual’s rights

The GDPR provides the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to erasure
  4. The right to object
  5. Rights in relation to automated decision making and profiling
  6. The right to rectification
  7. The right to restrict processing
  8. The right to data portability

In addition to profiling and the rights to object to marketing, the GDPR creates some new rights for individuals as well as strengthening some of the rights that currently exist under the Data Protection Act (DPA):

1. The right of access

This right allows individuals to demand to see what data is held about them which is now free of charge; the removal of the £10 subject access fee is a significant change from the existing rules. The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing.

2. The right to data portability

This right allows individuals to obtain and reuse their personal data for their own purposes across many different services. The portability right allows individuals to move, copy or transfer their personal data from one IT environment to another in a secure and safe way.

3. The right to erasure

The right to erasure is also known as the ‘right to be forgotten’. This regulation enables individuals to request the deletion or removal of personal data, which should be removed by the data controller immediately.

Section 4: Consent

The GDPR defines valid consent as unambiguous consent. There will be no more pre-ticked boxes, no more assumptions; in other words, it will be harder to obtain consent.

The data subject (individual) needs to give a clear, affirmative action to agree to the processing of their personal data.

Every submission of personal data must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

The consent challenge

So, how do you persuade consumers to share their data?

  • Offer incentives
  • Be completely clear on what the consumer will receive once they’ve submitted their personal data
  • Be completely clear on storage details and who the information will be shared with

Example for consent collection:

Consent Q & A

Q: Can we still use a pre-ticked box as consent?

A: No, GDPR doesn’t class a pre-ticked box or any form of inactivity as valid consent. The Data Subject must make an affirmative action for their consent to be valid.

Q: When we’re asking for consent, can we get the consumer to tick a box and provide them with a link to our privacy policy?

A: You need to make it absolutely clear what the consumer will be signing up to and how the key information will be used (including marketing) at the point of data collection. You can still link to a privacy policy for further details.

Q: If we include consent conditions within our terms and conditions, is that enough?

A: The days of hiding consent conditions deep within terms and conditions are over. It must be clear and separate from the other information within the details. Consent wording must be intelligible, easily accessible and use clear and plain language.

Q: How should we write the consent wording?

A: Consent wording must be intelligible, easily accessible and use clear and plain language.

Q: Can consent be conditional?

A: No, and this is a new change to the consent process included within the GDPR. Supplying a service or product or entering a competition does not count as valid consent. You must give the consumer a real choice whether or not they want to give you their consent.

Q: What is the best way to gain valid consent if purchasing a product or service?

A: The best way to ensure that you’re fully compliant with the GDPR is to include a separate opt-in option at the point a consumer joins/purchases by encouraging them to sign up to receive updates via email, for example.

Q: We’ve got historic lists – will they still be valid?

A: If your current data hasn’t specifically been collected using affirmative consent for all activities, or you don’t have a record of the sufficient explanation required, then you’ll have to gain fresh consent. Basically, all historic data may only be kept and used if you have records of how you collected it, the wording used and what customers opted in to receive.

Section 5: Database requirements

The main change when it comes to databases is that you’ll have to keep these copies of consent within them. Unfortunately, this may mean some development work will have to take place to allow you to record sufficient data in your existing systems. If you’re looking to change your data management software, find one that already has this functionality for a smooth transition.

Consent that you should be able to record:

  • “I give third-party consent”
  • “I said stop profiling me” (including date)
  • “I objected to processing under Legitimate Interest” (including date)
  • “I consented to marketing by *channel” (date & wording)

New database requirements

Let’s go over the impacts that the GDPR will have on databases and records of processing…

Organisations must be able to demonstrate that an individual consented to the processing of their personal data. This must include both when and what mechanism was used to collect data. Not only this, but you’ll need to retain indicative copies of data collection forms, whether they’re online forms, telephone scripts or anything else, as well as changes that are made to these documents.

Valid records of consent for your database:

Phone: If consent is given over the phone, you’ll need to keep a recording of when consent was granted.

Online: If an online form was filled out, a copy of this must be kept and saved.
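The record-keeping requirements above (when consent was given, through which mechanism, the exact wording shown, a reference to the retained form copy or call recording, and later withdrawals or objections) map naturally onto an append-only ledger. The following is an added example written for this guide, not Fox&Bear’s code or any vendor’s product; the class and field names, the purpose strings such as "marketing:email", the allowlist of affirmative mechanisms and the sample subject data are all constructed for illustration.

```python
"""Consent ledger sketch (added example; all names and sample data are constructed)."""
from __future__ import annotations
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib

# Mechanisms that count as an affirmative action. Assumption for this example:
# the guide names online forms and telephone scripts, so those are the allowlist.
AFFIRMATIVE_MECHANISMS = {"online_form", "phone_recording"}
ACTIONS = {"given", "withdrawn", "objected"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str        # e.g. "marketing:email", "profiling", "third_party"
    action: str         # one of ACTIONS
    at: datetime        # timezone-aware timestamp of the event
    mechanism: str      # how the consent/withdrawal was collected
    evidence_ref: str   # where the retained form copy or call recording lives
    wording_hash: str   # SHA-256 of the exact wording shown or read out


def hash_wording(text: str) -> str:
    """Fingerprint the wording so later edits to the form remain distinguishable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class ConsentLedger:
    """Append-only record of consent, withdrawal and objection events."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []
        self._wordings: dict[str, str] = {}  # hash -> full wording, kept for audit

    def record(self, subject_id: str, purpose: str, action: str, at: datetime,
               mechanism: str, evidence_ref: str, wording: str) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        # A pre-ticked box or silence is not valid consent, so a 'given' event
        # must come through an affirmative mechanism.
        if action == "given" and mechanism not in AFFIRMATIVE_MECHANISMS:
            raise ValueError(f"{mechanism!r} is not an affirmative consent mechanism")
        h = hash_wording(wording)
        self._wordings.setdefault(h, wording)  # retain every wording version ever used
        event = ConsentEvent(subject_id, purpose, action, at, mechanism, evidence_ref, h)
        self._events.append(event)
        return event

    def is_consented(self, subject_id: str, purpose: str,
                     as_of: datetime | None = None) -> bool:
        """True only if the most recent event for this subject and purpose is a 'given'."""
        as_of = as_of or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= as_of]
        if not relevant:
            return False  # no record means no consent
        return max(relevant, key=lambda e: e.at).action == "given"

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Full history with the wording text: what you would show on request."""
        out = []
        for e in sorted(self._events, key=lambda e: e.at):
            if e.subject_id == subject_id and e.purpose == purpose:
                d = asdict(e)
                d["wording"] = self._wordings[e.wording_hash]
                out.append(d)
        return out


def demo_ledger() -> ConsentLedger:
    """Constructed sample: consent given via web form, later withdrawn by phone."""
    ledger = ConsentLedger()
    ledger.record("subj-0001", "marketing:email", "given",
                  datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc),
                  "online_form", "forms/signup-v3-subj-0001.json",
                  "Tick here to receive our weekly email newsletter. Unsubscribe any time.")
    ledger.record("subj-0001", "marketing:email", "withdrawn",
                  datetime(2018, 7, 1, 14, 30, tzinfo=timezone.utc),
                  "phone_recording", "calls/2018-07-01-subj-0001.wav",
                  "Caller asked to stop receiving marketing emails.")
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print(ledger.is_consented("subj-0001", "marketing:email"))  # False: withdrawn
    for row in ledger.evidence("subj-0001", "marketing:email"):
        print(row["at"].isoformat(), row["action"], row["mechanism"], row["evidence_ref"])
```

The point of the design is that the ledger never overwrites: a withdrawal is a new event rather than a deleted row, so the "when and what mechanism" question remains answerable for the original consent even after it has been revoked, and the stored wording hash ties each event to the exact version of the form in use at the time.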

Section 6: Personal data

The definition of personal data is very wide, as it now includes many online identifiers, for example Facebook profiles and IP addresses if an individual can be identified from that information.

Special categories

Sensitive personal data is referred to as ‘special categories’ of data under the GDPR. These special categories can only be processed with explicit consent and you should always ensure that great care is taken to prevent any unauthorised use.

Special categories within the GDPR are:

  • Racial or ethnic origin
  • Political opinions
  • Religious /philosophical beliefs
  • Trade Union membership
  • Genetic data
  • Biometric data
  • Data containing health or sex life
  • Sexual orientation

You should also bear in mind that criminal record data also requires special treatment.

Section 7: Data processing

Data processing is when any operation is performed on personal data. Examples of this are structuring, storing, recording or analysing the data in question. A data processor is an organisation that processes data on behalf of the data controller.

What obligations do data processors have under the GDPR?

  • Outsourced service providers that are acting as data processors on your behalf will now be liable for breaches, where they have been responsible for a breach. Outsourced data processors will have to prove their compliance under the GDPR and will share liability for compensating damages.
  • Article 3 states that the GDPR applies to:
      • The processing of personal data in the context of the activities of an establishment of a controller or a processor in the European Union, whether or not the processing takes place in the European Union
      • The processing of personal data of data subjects who are in the European Union by a controller or processor not established in the European Union where the processing relates to the offering of goods or services (whether free or paid for) or the monitoring of behaviour which takes place within the EU.

Lawfulness of processing conditions:

Contracts with Data Processors

It is vital to ensure you have the following documented in a contract with any outsourced data processor:

  • Documented instructions for processing
  • Staff confidentiality
  • Security of data
  • Approval of subcontractors
  • Assistance in fulfilling data subjects’ rights

Data processors – requirements:

  1. Implement procedures to assist the data controller to comply with the right of data subjects.
  2. Assist the data controller in complying with other regulatory requirements, such as obtaining approval from relevant data protection authorities.
  3. Impose confidentiality obligations on all personnel processing relevant data for the data processor.
  4. Return or destroy personal data at the end of the data processing relationship (at the data controller’s choice).
  5. Provide the data controller with all information required to demonstrate compliance with the GDPR – this may involve including audit or inspection provisions.

Section 8: Data Profiling

Data processing is characterised as “profiling” when it involves automated processing of personal data and then using that personal data to evaluate certain personal aspects relating to a natural person.

Specific examples as stated by the GDPR include analysing or predicting “aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”

What about cookies? The use of cookies on a website where the IP can be linked to an individual is considered as data profiling.

There are 3 key elements to profiling:

  1. It has to involve personal data – the use of non-personal data to make an automated decision is not covered.
  2. The processing has to be automated – profiling and decision making by a human being is not covered.
  3. It has to be used to evaluate certain personal aspects relating to an individual.

Top tips for data profiling

  • Make sure you use appropriate mathematical or statistical procedures for the profiling.
  • Automated decisions should not concern a child or be based on the processing of special categories data.
  • Ensure you implement the appropriate technical and organisational measures to enable inaccuracies to be corrected and to minimise the risk of errors.
  • Inform all data subjects that they are being profiled before or on the first communication using clear, transparent language which is separated from other information.
  • Data subjects have the right to object to profiling so it’s best to inform them of what the consequences might be if they do.

Section 9: Checklist to get you GDPR ready

  1. Ensure your organisation knows about the new GDPR rules that come into place from the 25th May 2018.
  2. Review the ways you currently achieve and retain consent and assess if these will be valid under the new GDPR.
  3. Make sure there is a swift procedure in place for action on a request to withdraw consent. This must be demonstrated by policy and process.
  4. You must be able to show how the data subject has consented to processing their data, which means recording who gave consent and how. Silent consent, pre-ticked boxes or inactivity does not count as consent.
  5. Check and update your privacy notices.
  6. Consider if you need to appoint a data protection officer.
  7. Consider how GDPR may impact on any international data transfers you carry out.
  8. Consider how you manage risk and how data protection is dealt with in your risk assessment framework.

Section 10: Glossary of key terms

  • Data controller – A data controller is the organisation that collects personal data and decides how it will be used.
  • Data processor – A data processor is the organisation that processes personal data on behalf of the data controller.
  • Data subject – A living person who can be identified from data held.
  • Personal data – Any information relating to an identified or identifiable person or data subject.
  • Processing – Any operation performed on personal data. This includes structuring, storing, recording, analysis.
  • Profiling – Any form of automated processing of personal data used to make a decision about an individual. In particular, to analyse a person’s preferences, interests, behaviour, location or movements.
  • Pseudonymisation – Processing personal data so that no piece of data can be attributed to a data subject without the use of additional information held separately.
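The glossary’s definition of pseudonymisation hinges on the "additional information held separately": the dataset you analyse must not be attributable to a person on its own. The following is an added example written for this guide, not Fox&Bear’s code; it shows one common way to achieve that, replacing direct identifiers with a keyed HMAC pseudonym where the key and the reverse lookup table live in a vault component that is kept apart from the analytics data. The class names, the field list of direct identifiers and the sample record are all assumptions made for the illustration.

```python
"""Pseudonymisation sketch (added example; names and sample data are constructed)."""
from __future__ import annotations
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers for this example (assumption).
DIRECT_IDENTIFIERS = ("email", "name")


class PseudonymVault:
    """The 'additional information held separately': secret key plus reverse lookup.

    The analytics side never sees this object; it only receives pseudonyms.
    """

    def __init__(self, key: bytes | None = None) -> None:
        # A random 256-bit key. An unkeyed hash of an email address would not
        # do: low-entropy identifiers can be guessed and re-hashed, so the
        # secret key is what makes the pseudonym unattributable on its own.
        self._key = key or secrets.token_bytes(32)
        self._lookup: dict[str, str] = {}  # pseudonym -> original identifier

    def pseudonym_for(self, identifier: str) -> str:
        # Normalise so "Alice@Example.com" and "alice@example.com" collapse to
        # one subject (assumption: identifiers are email addresses).
        canonical = identifier.strip().lower()
        digest = hmac.new(self._key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()
        pseudonym = digest[:32]
        self._lookup[pseudonym] = canonical
        return pseudonym

    def reidentify(self, pseudonym: str) -> str | None:
        """Only possible with the vault, e.g. to action an erasure request."""
        return self._lookup.get(pseudonym)


def pseudonymise_record(record: dict, vault: PseudonymVault) -> dict:
    """Return a copy with direct identifiers removed and a pseudonym added."""
    out = dict(record)
    out["subject_pseudonym"] = vault.pseudonym_for(record["email"])
    for field in DIRECT_IDENTIFIERS:
        out.pop(field, None)
    return out


def demo() -> tuple[PseudonymVault, dict, dict]:
    """Constructed sample: one customer record pseudonymised for analysis."""
    vault = PseudonymVault()
    original = {
        "email": "Alice@Example.com",
        "name": "Alice Example",
        "purchases": 3,
        "last_seen": "2018-05-26",
    }
    return vault, original, pseudonymise_record(original, vault)


if __name__ == "__main__":
    vault, original, pseudonymised = demo()
    print(pseudonymised)
    print(vault.reidentify(pseudonymised["subject_pseudonym"]))  # alice@example.com
```

The remaining fields ("purchases", "last_seen") are still personal data once combined with the vault, which is why the GDPR treats pseudonymised data as personal data rather than anonymous data; the benefit is that a copy of the analytics dataset alone no longer points at a named person.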